class-map type inspect statement without match statement

Unanswered Question
Oct 28th, 2008

In a ZBF (IOS 12.4(20)T1), what happens if the following class-map is used in a policy which is tied to a zone pair and an interface, but the class-map does not have a "match" statement under it? Is the default to drop all since there is no match? Or, since there is a "match-any" statement, does it pass all traffic? This was set up automatically by SDM 2.5 and I'm trying to figure out what will happen here.

class-map type inspect match-any no-match
class-map type inspect match-all willwork
 match class-map no-match
 match access-group 110
policy-map type inspect whathappens
 class type inspect willwork
  inspect
 class class-default
  drop
zone security in
zone security out
zone-pair security out-self source out destination self
 service-policy type inspect whathappens
interface GigabitEthernet 0/0
 description Untrusted
 zone-member security out

Thanks,

Scott

Marwan ALshawi Tue, 10/28/2008 - 19:45

As long as the class does not have a match, no action will be taken until a match occurs, so nothing will happen.

To make sure, do show policy-map whathappens interface GigabitEthernet 0/0 and see the matched traffic; it shows 0.

Good luck.

If helpful, rate.

sdniel Wed, 10/29/2008 - 07:36

When you say "nothing will happen", are you saying it will "pass" all traffic or "drop" all traffic?

Marwan ALshawi Wed, 10/29/2008 - 14:46

Actually it will not pass or drop.

The logic is: the class map does the matching; then, if any match happens, the policy map associated with this class will look at what action is configured to be taken.

In your case nothing will be matched, so the next stage, which is the action stage, will not be considered.

Hope this helps.

sdniel Thu, 10/30/2008 - 07:07

So in this case, since class-map no-match is nested within class-map willwork, which has a match-all statement (match class-map no-match "anded" with access list 110), does the policy whathappens inspect packets for only access-group 110? Would the result be the same if class-map no-match did not exist at all? You state that it does not pass or drop packets, so what does it do with them?
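The following is an added example and is not part of the thread or of the SDM-generated configuration above. It does not settle how IOS evaluates an empty match-any class; instead it shows how to remove the question from the policy by giving the nested class explicit criteria, and which show commands display ZBF matches per zone pair (ZBF counters are kept per zone pair, not per interface). The protocols under mgmt-protocols and the contents of access-list 110 are assumptions chosen for illustration; the thread does not show them.

```ios
! Constructed example, not the poster's configuration.
! ACL 110 is assumed to describe the management hosts allowed to reach the router.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
access-list 110 deny   ip any any

! Give the nested class explicit match criteria instead of leaving it empty.
! willwork then means "source permitted by ACL 110 AND (ssh OR https)",
! whatever IOS would have done with a class-map that has no match lines.
class-map type inspect match-any mgmt-protocols
 match protocol ssh
 match protocol https

class-map type inspect match-all willwork
 match class-map mgmt-protocols
 match access-group 110

policy-map type inspect whathappens
 class type inspect willwork
  inspect
 class class-default
  drop log

zone security out
zone-pair security out-self source out destination self
 service-policy type inspect whathappens

interface GigabitEthernet 0/0
 description Untrusted
 zone-member security out

! Verification (run from enable mode):
!   show zone-pair security
!   show class-map type inspect willwork
!   show policy-map type inspect zone-pair out-self
! In the last command, a class whose packet counter stays at 0 while traffic
! is arriving on Gi0/0 is not matching; the class-default counter shows what
! is being dropped, and "drop log" records those drops in the syslog.
```

Because the policy is applied to the out-to-self zone pair, it governs traffic addressed to the router itself from the untrusted interface, which is exactly where an accidentally empty class (and therefore a class-default drop of everything) would lock out management access, so the counters should be checked before the session to the router is closed.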
